Users and vendors should team up over cybersecurity

Individual users, businesses, the government and vendors all need to more aware of the dangers of the Internet, according to a group of security experts.

By
Grant Gross, IDG News Service
| Oct 17, 2008

| IDG News Service

Share

TwitterFacebookLinkedInGoogle Plus

Individual users, businesses, the government and vendors all need to more aware of the dangers of the Internet, according to a group of security experts.

The Internet is vulnerable at multiple levels and each of those groups play a part in protecting cyberspace, said Steve DelBianco, executive director of NetChoice, an ecommerce trade group.

NetChoice, focused much of its attention on user behaviour, saying that Internet users need to be better educated about types of social-engineering attacks. Last week, the US Federal Trade Commission issued a warning about new phishing e-mail scams that identify the sender as a bank or mortgage lender that has taken over the e-mail recipient's account. The e-mails ask the recipients to click a link to confirm personal information, but the link takes them to a site harvesting personal information, not to a real financial institution.

This attack can look credible, given the number of bank and mortgage lender failures in the US right now, DelBianco said. "The bad guys are clever, and they're getting badder," he said during a cybersecurity event in Washington, DC.

NetChoice's report, Hardening the Security Stack," described potential vulnerabilites directed at user behaviour and the DNS, two layers of the so-called Internet stack identified by the group. It would be "phenomenally expensive" to implement proactive, tech-based security at every layer of the stack, which also includes operating systems, software and internal network services.

"Responsibility for cybersecurity lives at all layers of the security stack, not in any one layer," said the report, co-authored by DelBianco. "Simply put, there is no silver bullet."

The report calls on tech vendors to implement multifaceted security programmes, including user education, as well as hardened software and equipment upgrades aimed at security. Government agencies can test new technologies and ensure that businesses use proper safeguards, the report said. The government also needs to maintain high standards for its tech vendors, the report added.

Ken Silva, senior vice president and chief technology officer at .com and .net registry operator VeriSign, agreed with the NetChoice report, but he called on individual computer users to be vigilant about cybersecurity. Individual users are often the target and often the cause of many cybersecurity problems, he said.

"Anyone who wants your money will find very creative ways to get it, legitimate or not," he said. "Most security vulnerabilities rest between the keyboard and the back of the chair."

The U.S. could make significant progress in fighting cybercrime if Internet users were more wary of phishing and other scams, if individuals and businesses changed static passwords and if laptops included several layers of protection against data theft when they were lost and stolen, Silva said.

However, it's not always easy to see cybercriminals at work, Silva added. Earlier this decade it was fairly easy to tell if a computer was compromised with spyware or a virus because the malware caused easily seen problems, he said. But now, many people are unaware that their computers have been compromised and are leaking personal data or are used in a botnet to send spam or attack other computers, he said.

"More things are being exploited by smarter people, and they're doing it quietly," Silva said.

Consumer education about cyberthreats needs to lose the jargon and simplify the message, added Michael Kaiser, executive director of the National Cyber Security Alliance (NCSA), a trade group focused on cybersecurity. Internet users, when they type in "www," need to think of "who, what and why," he said.

Internet users should ask themselves who wants the information they're being asked to provide, what information they're asking for and why they're asking for it, Kaiser said. If Internet users slow down and ask those questions, they may be less susceptible to phishing and other scams, he said.

"At NCSA, we really believe that user behavior matters," he said. "They have to pay attention when they're using the Internet."